What’s in a Red Team?
If you’re interested in information security, you’ve probably heard “penetration testing” and “red teaming” used interchangeably. However, for those of us actually doing red teaming, they’re not necessarily the same. So what do they mean?
Penetration Testing
Penetration testing refers to various forms of simulating attacks on systems, networks, and facilities. Some types of penetration testing include:
- Web application pentesting: Assessing web applications to find vulnerabilities or other flaws.
- Network pentesting: Assessing the security of a network, through various means. This can mean internal or external network testing.
- Physical pentesting: Assessing the physical security of a facility. This can include lock picking, spoofing/cloning RFID badges, jumping fences, and many other things.
Each of these types of penetration testing can be performed in several different contexts. In some cases, a pentester performs the test with no prior knowledge of the target environment. This is called a “black box” pentest. In other cases, the tester is given information about the environment. This type of test is called a “white box” pentest. There is also “gray box” pentesting, which falls in between the two. Additionally, black box pentesting is generally performed without informing the defensive staff, while white box testing is usually performed with the knowledge of the defenders.
So where does red teaming fit in?
Red Teaming
Red teaming is a type of pentesting, but it differs from a normal pentest in several ways. The most important aspect, in my opinion, is that a red team engagement should be adversarial. “Adversarial” means a couple of different things to me:
First, red teaming should represent a real threat. Red teams should strive to attack organizations in the same way that real attackers operate. By adapting TTPs (Tactics, Techniques, and Procedures) from real attackers, red teams can show how an organization will fare against a real attack.
Second, red teaming should test the organization’s defenders. I find that it’s most valuable when the red team operates without the knowledge of the defenders, so that the defenders are forced to respond just as they would to a real attacker.
Lastly, a red team engagement works best when you remove scope restrictions, and allow the red team to assess the organization in whole. Attackers aren’t given restrictions when attacking an organization; red teams should be given as much leeway as possible, within the limits of the law.
Why Red Team?
Why would an organization have a pentest, as opposed to a red team exercise? When should an organization have a red team exercise?
A pentest is a good way for a company to take a look at the risks that they face. It can give a good assessment of the overall technical security of the organization, and can give the organization an idea of how effective their technical controls are at preventing common attacks.
A red team exercise is focused on one thing: demonstrating how attackers would attack the organization. A red team exercise won’t find every vulnerability that exists, and red teams are only interested in finding vulnerabilities that advance them towards the goal.
Normally, an organization should have penetration tests done for a couple of years before moving to red teaming. Red teaming is most effective when an organization has a mature security practice, along with a solid defensive team that can learn from the red team’s findings.
I hope that gives you folks a bit of background into why red teaming is important, and how it differs from ordinary pentesting. Stay tuned for some war stories about my experience doing both pentesting and red teaming!